When the FCA fined Equifax £11 million for its role in one of history’s largest cyber security breaches back in October last year, it was a stark reminder of the fragility of our data ecosystem.

Following the incident - which saw the credit bureau firm fail to manage and monitor the security of UK consumer data it had outsourced to its US-based parent company - Therese Chambers, FCA joint executive director of enforcement and market oversight, said: “The risk of identity theft never stops. Cyber criminals are sophisticated and innovative; it is imperative that firms maintain the highest standards in data protection.”

It’s true; the data that financial firms hold on customers is highly attractive to criminals, and these firms, that as consumers we’re putting our trust in, have a duty to keep it safe.

But, while Equifax certainly had a part to play in the “entirely preventable” data breach, we know any system is not without its flaws and cyber criminals will continually take advantage of that until innovation can step in and help solve some of the privacy challenges the industry faces.

Looking closer at the credit card approval process, we know the application process is highly complex, involving several entities alongside the actual applicant. Not only do you have the bank, who needs to access sensitive information about the applicant’s employment, spending, debts and other personal details, in order to assess their creditworthiness, but often credit bureaus and credit scoring agencies too, who banks turn to to find this information out.

The issue with this, from a data privacy perspective, is that there are multiple points where your highly sensitive data could be compromised; put simply, the more entities with access to your data, the greater the risk of a data breach. The entire process relies on a high level of trust between organisations to ensure that the potential of identity theft and financial fraud is not realised.

Privacy Enhancing Technologies offering greater peace of mind

In response to challenges such as this, innovation in the field of Privacy Enhancing Technologies (PET) is evolving fast. While some encryption methods are being utilised right now, other technologies hold immense promise in terms of securing sensitive data and protecting customer privacy.

In the credit card approval process, one of the most common encryption methods used is Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). These protocols, widely adopted by financial institutions, encrypt the communication between an applicant’s device (such as a web browser) and the financial institution’s server, ensuring that data exchanged during the application process is protected from interception by unauthorised parties.

SSL/TLS encryption plays a crucial role in significantly reducing the risk of data breaches during the credit card approval process. However, while it guarantees the transfer of private data to the bank’s servers, once it is there, it is at risk of threats such as:

• Insider threats: Insiders such as bank advisors, risk team, data analysts and IT admins have access to sensitive data and may abuse their privileges to steal sensitive data or undermine security measures, leading to potential data breaches.
• Server-side vulnerabilities: Vulnerabilities in the financial institution’s server or web application could expose sensitive data. Again, attackers may look to exploit these vulnerabilities to gain unauthorised access to the server or execute arbitrary code.

Fully Homomorphic Encryption (FHE)

Another encryption method that’s made significant advancements in recent years, but is still considered to be in its early stages of being fully realised, is Fully Homomorphic Encryption (FHE).

Seen as an ideal solution for a situation involving multiple parties - such as the credit card approval process -  it allows data to be encrypted and processed without ever needing to decrypt it. This means that sensitive data can be shared and analysed without exposing the actual information to any of the parties or the server processing it. In the context of credit scoring processes, because data from various sources can be combined and analysed to make a more informed decision, this would enable a more thorough and accurate asses.

Here’s a summary of the process:

• Step 1: Key Generation: The private key is jointly generated by the applicant, bank, and credit bureau to encrypt and decrypt data securely. The evaluation key, a public key needed for processing encrypted data, is transmitted to the server.

• Step 2: Fill in Information: Applicant bank, and credit bureau provide each private information about the applicant. Each piece of information is encrypted before being sent to the server.

• Step 3: Run FHE Evaluation: Server computes predictions using an algorithm developed by the bank (typically a Decision Tree classifier model) without decrypting any values.

• Step 4: Receive Encrypted Output and Decrypt: Encrypted output is returned to the applicant. The applicant, bank, and credit bureau collaborate to decrypt the result using their private keys. Only the applicant can see the results of his application.

• Step 5: Explain Prediction (if applicable): If the credit card is denied, the applicant can request information on the reasons of the denial, for e.g. how many years of employment would be needed to get an approval.

With FHE, each party’s data remains confidential, addressing several of the threats facing SSL/TLS encryption methods mentioned earlier.In the case of server-side vulnerabilities, for example, even if attackers gain access to the server or exploit vulnerabilities in the server-side software, they cannot access the decrypted data, nor can those looking to attack from the inside. As a result, the risk of data leaks or breaches is significantly minimised, addressing major privacy concerns.

While FHE offers a sophisticated solution to the delicate balance between data utility and confidentiality, this is one of the technologies still facing hurdles in terms of its efficiency and practicality.

However, ongoing research and development efforts are currently focused on addressing the remaining challenges and improving the efficiency, scalability, and usability of FHE for various applications - one of which we hope will be the credit card application process in the not too distant future.

[